US-8627477

Method, apparatus, and system for detecting a zombie host

Published: January 7, 2014
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

The present invention relates to the communications field, and in particular, to a detection method, an apparatus, and a network with detection functions. The present invention solves the problem that the Botnet cannot be detected on a current communication network. The detection method is used to detect a Botnet and includes: obtaining a network address translation (NAT) table; detecting a behavior plane and a communication plane of a host according to the NAT table; and performing cluster analysis on results of detection on the communication plane and the behavior plane.

Patent Claims
17 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for detecting a zombie host by an operator network located externally to a user side network, comprising: obtaining a network address translation (NAT) table; detecting, by a detection apparatus on the operator network, a behavior plane and a communication plane of a host on a user-side network according to the NAT table; and analyzing a result of detecting the behavior plane and the communication plane of the host according to the NAT table to judge whether the host is the zombie host, wherein the analyzing the result further comprises: comparing features of zombie IP streams detected on the behavior plane with features of IP streams detected on the communication plane, and determining that the zombie IP streams exist on the communication plane when the compared features of the zombie IP streams and the compared features of the IP streams are the same.

2. The method of claim 1, wherein the NAT table is a mapping table that records mapping between an internal private network host identity (ID) and an Internet Protocol (IP) address, wherein the IP address is a public IP address used by the host to perform external communication through a NAT device.

3. The method of claim 2, wherein the host ID comprises a media access control (MAC) address of the host or a user name or an internal private IP identifier.

4. The method of claim 1, wherein the step of detecting the behavior plane and the communication plane of the host according to the NAT table comprises: according to various behaviors of a single host, judging whether the host is engaged in suspicious behaviors, wherein the suspicious behaviors comprise at least one of the following behaviors: downloading malicious software, scanning, sending malicious software, and sending a junk mail; and using data streams as a detection target, and checking communication features of an Internet Protocol (IP) layer and a transport layer.

5. The method of claim 1, wherein detecting the communication plane is implemented by using a Netflow technology.

6. The method of claim 1, wherein the detection apparatus is integrated with an edge router on the operator network.

7. An apparatus, located on an operator side network, for detecting a zombie host located on a user side network that is external to an operator side network, the apparatus comprising a processor and a non-transitory memory storage coupled with the processor, the non-transitory memory storage comprising: a first module, configured to obtain a network address translation (NAT) table; a second module, configured to detect a behavior plane and a communication plane of a host according to the NAT table; and a third module, configured to analyze a result of detecting the behavior plane and the communication plane of the host according to the NAT table to judge whether the host is the zombie host; compare features of zombie IP streams detected on the behavior plane with features of IP streams detected on the communication plane, and determine the zombie IP streams exist on the communication plane when the compared features are the same.

8. The apparatus of claim 7, comprising a NAT log server, a Netflow collector, and a network behavior log server, wherein: the NAT log server is configured to maintain the NAT table; the Netflow collector is configured to: maintain a communication plane flow table, compare a data time stamp with a time stamp of the NAT table, and determine translation entries to be matched in the NAT table; and the network behavior log server is configured to: maintain a behavior plane attack alarm table, search the NAT table for entries that match a source Internet Protocol (IP) address, a source port, and a NAT device identity (ID) according to the attack alarm table, and translate the source IP address and the source port into a public IP address and port according to the NAT table.

9. The apparatus of claim 8, wherein the NAT table is a mapping table that records mapping between an internal private network host ID and an IP address, wherein the IP address is a public IP address used by the host to perform external communication through a NAT device.

10. The apparatus of claim 8, wherein the NAT log server is further configured to age the NAT table periodically, wherein the aging time of old entries is longer than that of the flow cache.

11. The apparatus of claim 7, further comprising: an edge router on the operator network; wherein the edge router on the operator network is integrated with the processor.

12. A network for detecting a Botnet located on an internal private network, comprising at least the internal private network, at least one Internet service provider (ISP) network external to the internal private network, and a detection apparatus located on the ISP network, wherein a host on the internal private network accesses the ISP network through a network address translation (NAT) device and an edge router of the ISP network and the detection apparatus comprises a processor and a non-transitory memory storage coupled with the processor, the non-transitory memory storage comprises: a first module configured to obtain a network address translation (NAT) table; a second module configured to detect a behavior plane and a communication plane of the host according to the NAT table; a third module configured to analyze a result of detecting the behavior plane and the communication plane of the host according to the NAT table to judge whether the host is a zombie host, compare features of zombie IP streams detected on the behavior plane with features of IP streams detected on the communication plane, and determine the zombie IP streams exist on the communication plane when the compared features are the same.

13. The network of claim 12, wherein the NAT device has a mapping table between a host identity (ID) and an IP address, wherein the IP address is a public IP address used by the host to perform external communication through the NAT device.

14. The network of claim 13, wherein the host ID comprises a media access control (MAC) address of the host or a user name.

15. The network of claim 12, wherein the detection apparatus is utilized for detecting the zombie host and configured to detect the Botnet and comprises a NAT log server, a Netflow collector, and a network behavior log server, wherein: the NAT log server is configured to maintain the NAT table; the Netflow collector is configured to: maintain a communication plane flow table, compare a data time stamp with a time stamp of the NAT table, and determine translation entries to be matched in the NAT table; and the network behavior log server is configured to: maintain a behavior plane attack alarm table, search the NAT table for entries that match a source Internet Protocol (IP) address, a source port, and a NAT device identity (ID) according to the attack alarm table, and translate the source IP address and the source port into a public IP address and port according to the NAT table.

16. The network of claim 12, wherein the NAT device is a gateway or a firewall.

17. The network of claim 12, wherein the edge router on the ISP network is integrated with the detection apparatus.
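
The correlation the claims describe, as an added worked example that is not the patent's own implementation and not code from Patentable: a NAT log (claims 2, 3, 10), a Netflow-style flow table (claim 5) and a behavior-plane alarm table (claim 4) are stood up as constructed in-memory records; an alarm's private source IP, source port and NAT device ID are translated through the NAT table by time stamp (claim 8), the flow's public source is resolved the same way, and a zombie IP stream is declared where the translated features coincide (claims 1, 7, 12). The field names, the 3600 s / 600 s aging values, the 60 s match window and every sample record are assumptions made for this illustration. The port-reuse case shows why the time stamp comparison in claim 8 is needed: the same public port later belongs to a different host and must not be attributed to the first one.

```python
"""Added example: NAT-table-based zombie host correlation (claims 1, 4, 8, 10).
Not the patent's implementation; all names, timeouts and records are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NatEntry:            # one row of the NAT log server's table
    nat_id: str            # NAT device ID (claim 8)
    host_id: str           # internal host ID: MAC, user name or private IP (claim 3)
    priv_ip: str
    priv_port: int
    pub_ip: str
    pub_port: int
    start: int             # epoch seconds: translation created
    last_seen: int         # epoch seconds: translation last used


@dataclass(frozen=True)
class Flow:                # one Netflow-style record from the collector (claim 5)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    start: int


@dataclass(frozen=True)
class Alarm:               # one behavior-plane attack alarm (claim 4)
    nat_id: str
    priv_ip: str
    priv_port: int
    ts: int
    kind: str              # "scan", "spam", "malware_download", ...


NAT_AGE_SEC = 3600         # assumed: NAT entries outlive flow-cache entries (claim 10)
FLOW_CACHE_SEC = 600       # assumed flow cache aging
MATCH_WINDOW_SEC = 60      # assumed tolerance between alarm time and flow start


def age_nat(nat_table: List[NatEntry], now: int) -> List[NatEntry]:
    """Periodic NAT table aging; the longer timeout guarantees that any flow
    still in the flow cache can still be translated (claim 10)."""
    return [e for e in nat_table if now - e.last_seen <= NAT_AGE_SEC]


def age_flows(flows: List[Flow], now: int) -> List[Flow]:
    return [f for f in flows if now - f.start <= FLOW_CACHE_SEC]


def translate_alarm(nat_table: List[NatEntry], alarm: Alarm) -> Optional[NatEntry]:
    """Behavior plane: the NAT entry whose source IP, source port and NAT device ID
    match the alarm and whose lifetime covers the alarm time stamp (claim 8)."""
    for e in nat_table:
        if ((e.nat_id, e.priv_ip, e.priv_port) == (alarm.nat_id, alarm.priv_ip, alarm.priv_port)
                and e.start <= alarm.ts <= e.last_seen):
            return e
    return None


def resolve_flow(nat_table: List[NatEntry], flow: Flow) -> Optional[NatEntry]:
    """Communication plane: the NAT entry that owned the flow's public source
    when the flow started; the time stamp disambiguates port reuse (claim 8)."""
    for e in nat_table:
        if (e.pub_ip, e.pub_port) == (flow.src_ip, flow.src_port) and e.start <= flow.start <= e.last_seen:
            return e
    return None


def correlate(nat_table: List[NatEntry], flows: List[Flow],
              alarms: List[Alarm]) -> Dict[str, List[Tuple[str, Flow]]]:
    """Claim 1: a zombie IP stream exists on the communication plane when the
    translated behavior-plane features (public src IP/port, time) equal those of
    an observed flow.  Returns host_id -> [(alarm kind, matching flow), ...]."""
    hits: Dict[str, List[Tuple[str, Flow]]] = {}
    for a in alarms:
        e = translate_alarm(nat_table, a)
        if e is None:
            continue           # no live translation: the alarm cannot be attributed
        for f in flows:
            if resolve_flow(nat_table, f) == e and abs(f.start - a.ts) <= MATCH_WINDOW_SEC:
                hits.setdefault(e.host_id, []).append((a.kind, f))
    return hits


# Constructed sample data (not captured from any real network).
NAT_TABLE = [
    NatEntry("cpe-1", "aa:bb:cc:00:00:01", "10.0.0.5", 41000, "203.0.113.7", 40001, 100, 400),
    NatEntry("cpe-1", "aa:bb:cc:00:00:03", "10.0.0.7", 33000, "203.0.113.7", 40002, 120, 420),
    # the same public port is reused later by a different host
    NatEntry("cpe-1", "aa:bb:cc:00:00:02", "10.0.0.6", 51000, "203.0.113.7", 40001, 5000, 5300),
]
FLOWS = [
    Flow("203.0.113.7", 40001, "198.51.100.20", 445, "tcp", 135),   # host 01, scan
    Flow("203.0.113.7", 40002, "198.51.100.9", 25, "tcp", 152),     # host 03, spam
    Flow("203.0.113.7", 40001, "198.51.100.21", 445, "tcp", 5010),  # host 02, no alarm
]
ALARMS = [
    Alarm("cpe-1", "10.0.0.5", 41000, 130, "scan"),
    Alarm("cpe-1", "10.0.0.7", 33000, 150, "spam"),
    Alarm("cpe-1", "10.0.0.9", 1234, 200, "malware_download"),  # no translation on record
]

if __name__ == "__main__":
    for host, streams in correlate(NAT_TABLE, FLOWS, ALARMS).items():
        for kind, f in streams:
            print(f"zombie host {host}: {kind} -> {f.dst_ip}:{f.dst_port}/{f.proto} at t={f.start}")
```

Host 02 shares public port 40001 with host 01 but is never flagged, because both lookups are bounded by the entry's `start`/`last_seen` interval; without that check the later flow would be attributed to the earlier host. The third alarm is dropped rather than guessed at, since an alarm with no translation on record cannot be tied to a public address.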

Patent Metadata

Filing Date: September 21, 2011
Publication Date: January 7, 2014

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Method, apparatus, and system for detecting a zombie host” (US-8627477). https://patentable.app/patents/US-8627477

© 2026 Patentable. All rights reserved.

Patentable is a research and drafting-assistant tool, not a law firm, and does not provide legal advice. Documents we generate are drafts for review by a licensed patent attorney.